Overview
- Multiple documents should be reviewed during the pre-engagement period:
- Non-Disclosure Agreement (NDAs)
- NDAs can come in different types: unilateral, bilateral, multilateral. Each of these will protect only one party, both parties, or multiple parties from disclosing information discovered. Multilateral NDAs could be used for cooperative or hybrid networks that may affect more than one party.
- Scoping Questionnaire
- Such tests could include: internal pentest, external pentest, internal vuln assessment, external vuln assessment, wireless assessment, physical security assessment, application security assessment, social engineering assessment, web app assessment
- External pentest gives the full picture: like a real attacker, it starts from outside the environment, probing publicly available infrastructure to attempt to gain a foothold
- Internal pentest can start after successful exploitation during the external pentest, or can start as part of an "assumed-breach" scenario to test what would happen if the external defenses were breached.
- Each test should have further questions. Example: for social engineering, should this be restricted to just email phishing? Or are phone calls (vishing), text messages (smishing) or in person attacks acceptable?
- Pentesting Proposal (Contract / Scope of Work)
- A signed scope of work (SOW) or contract is crucial for setting the guardrails of what can be tested. This should be in writing and signed by an authorized signatory for the target. Validating that the signatory is actually eligible to authorize a penetration test is crucial to ensuring the pentester is protected during and after the test.
- Information about the scope such as number of live hosts, IPs/CIDR ranges, domains, wireless SSIDs, web/mobile apps, targeted users, physical locations, targeting of AD, bypassing of controls (NAC, firewall, AV), etc.
- Define critical infrastructure that is out of scope
- Rules of Engagement (RoE)
- see below for some of the sections that could be included
- Contractors Agreement
- required for physical tests if a pentester is caught and police are called
- After-Assessment Reports
- All the notes from the assessment should be revised and aggregated into a final report
These sections can be a part of multiple of the above documents, particularly the RoE
- Goals
- Milestones that must be achieved during the engagement
- Pentest Type
- Scoping should be exhaustive to determine what type of test is being requested. This can be done with a questionnaire
- Methodologies
- OWASP, OSSTMM, etc.
- Pentesting Locations
- On-site (internal) or remote, etc.
- Time Estimation
- At least start and end dates for the full engagement
- Determining time windows for each phase and if testing should occur during work hours or after
- Third Parties
- Cloud Providers, ISPs, hosting providers may need to be looped into the agreement depending on the targeted infrastructure
- Evasiveness
- The stealthiness of the test should also be considered. Should it be evasive and attempt to be undetected the entire time? Should it be a hybrid and start stealthy but can ramp up to determine when the controls are able to detect the activity? Or is stealth not required and tooling can be loud and hammer away, barring denial-of-service or being destructive.
- Risks
- Risks and consequences should be outlined. While the intent is not to cause a system outage, it is possible that the exploitation of a vulnerability could inadvertently take a system down.
- Brute-forcing can cause user accounts to lock out
- Information Handling
- Laws and regulations can differ depending on the target's industry and location. All laws need to be researched beforehand to ensure compliance during testing
- GDPR is a data privacy regulation that impacts personal data and information disclosure for European entities. The US does not have a national data regulation, but some states such as California have their own version that needs to be considered, if applicable.
- Target's industry can impact data disclosure as well. Healthcare organizations in the US have to respect HIPAA. School districts in the US need to be mindful of COPPA. Financial institutions also have other regulations such as SOX or GLBA.
- Contact Information
- Name, job title, email, phone number and escalation priority order during the engagement
- Lines of Communication
- What channels should be used during the engagement? Email, phone, in-person meetings, etc.
This phase should always boil down to these main points:
- Written consent from the owner or authorized agent of the network is required before testing begins, including a range of IPs / domains that are in-scope for testing
- The scope cannot be breached without additional written and signed addendums to the contract
- Exploits should not damage the systems or network being tested
- Discovered personal or company-confidential data should not be accessed without written consent. This is paramount to complying with the multitude of data disclosure regulations globally.
- Intercepting communications (emails, phone calls) needs consent of one of the parties to prevent breach of wire-tapping or monitoring laws
- Certain regulated systems, such as systems under HIPAA, require additional authorization before testing can occur to prevent data disclosure or downtime of critical infrastructure.
- For each pentest engagement, a new VM should be stood up. This prevents any traces of data from the last engagement and ensures we are starting with a clean slate.
- Kali Linux or ParrotOS come with a breadth of tools to get off the ground running quickly.
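The points above about in-scope IP ranges/domains and out-of-scope critical infrastructure can be enforced mechanically before any tool is pointed at a host. The following is an added example (not from the original notes or any tool mentioned here) of a small scope checker: the CIDR ranges, domains and exclusions are constructed placeholders standing in for what the signed SOW would list, and the `Scope` class and `filter_targets` helper are hypothetical names. Exclusions always win over inclusions, so a host carved out as critical infrastructure stays blocked even though it sits inside an in-scope network.

```python
import ipaddress

# Constructed scope values, standing in for the signed SOW's in-scope list.
IN_SCOPE_NETWORKS = ["10.10.0.0/16", "203.0.113.0/24"]
IN_SCOPE_DOMAINS = ["example.com"]
# Constructed exclusions: the "critical infrastructure that is out of scope".
OUT_OF_SCOPE_HOSTS = ["10.10.5.10", "10.10.99.0/24"]


class Scope:
    """Authorized testing scope as written in the SOW (hypothetical helper)."""

    def __init__(self, networks, domains, exclusions):
        # strict=False lets a single host such as 10.10.5.10 be given without /32
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.domains = [d.lower().strip(".") for d in domains]
        self.exclusions = [ipaddress.ip_network(e, strict=False) for e in exclusions]

    def ip_allowed(self, ip_str):
        """True only if the IP is inside an in-scope network and not excluded."""
        ip = ipaddress.ip_address(ip_str)
        # Exclusions override inclusions: out-of-scope hosts are never tested
        if any(ip in excluded for excluded in self.exclusions):
            return False
        return any(ip in net for net in self.networks)

    def domain_allowed(self, name):
        """True if the name is an in-scope domain or a subdomain of one."""
        name = name.lower().strip(".")
        # Compare whole labels so "example.com.evil.net" does not match
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def check(self, target):
        """Dispatch on whether the target parses as an IP or is a hostname."""
        try:
            return self.ip_allowed(target)
        except ValueError:
            return self.domain_allowed(target)


def filter_targets(scope, targets):
    """Split a target list into (allowed, rejected) against the signed scope."""
    allowed, rejected = [], []
    for target in targets:
        (allowed if scope.check(target) else rejected).append(target)
    return allowed, rejected


DEFAULT_SCOPE = Scope(IN_SCOPE_NETWORKS, IN_SCOPE_DOMAINS, OUT_OF_SCOPE_HOSTS)

if __name__ == "__main__":
    # Constructed target list mixing in-scope, excluded and unrelated hosts
    candidates = ["10.10.1.5", "10.10.5.10", "10.10.99.7", "192.168.1.1",
                  "mail.example.com", "example.com.evil.net"]
    ok, bad = filter_targets(DEFAULT_SCOPE, candidates)
    print("allowed:", ok)
    print("rejected (not in SOW or explicitly excluded):", bad)
```

Any target that lands in the rejected list needs a signed addendum before it can be touched; re-reading the scope from the contract into this allowlist, rather than from memory, is the point of the check.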